US-CERT embracing new, more holistic approach to cybersecurity

By William Jackson

Apr 22, 2009

SAN FRANCISCO — The director of the U.S. Computer Emergency Readiness Team (US-CERT), tasked with keeping an eye on the country’s critical cyber infrastructure and coordinating responses, said her organization is moving to a more holistic collaborative approach to security, emphasizing prevention over response.

“Incident response should be rare,” said Mischel Kwon. “Forensics should not be the norm.” Kwon, speaking Wednesday at the RSA Conference, said US-CERT has been using methodologies focused on individual incidents and vulnerabilities rather than looking at the larger picture and protecting the missions of the government networks it is guarding.

A virus or other piece of malware is only the tip of the iceberg. “We need to understand that malware is just a piece of a larger critical plan,” she said. “The traffic is not all we must analyze. We must analyze the behavior, the holistic, big view.”

Getting that big picture often is not easy. There is always more information that could be gathered, things that observers do not know about an attack or other situation. But gathering, using and sharing all of the available information can help to evaluate situations early and mitigate them before problems occur. Processes adopted by US-CERT look at separate incidents without putting them into context, Kwon said.

She described the process now followed by US-CERT as a “Jackson Pollock methodology,” referring to the abstract artist whose paintings often look like splashes, drips and blobs. Analysts throw things at the wall, look for patterns and then try to clean up the mess, she said.

“Today we use a taxonomy that is out of date,” and prioritize and escalate incidents according to outdated criteria, she said. “We do not escalate until three or more departments or agencies have been affected. We’re not taking risk into account.”

A single agency where root access has been gained, for example, probably is a greater risk than three agencies infected with adware.

“We need to rethink how we prioritize incidents and events,” she said, taking into consideration the “who” and “why” of an incident as well as the technology involved.

US-CERT is doing that by looking at the mission of the agency or system being protected, who the likely enemies would be, what tools they will have at their disposal, the types of attacks possible, and the vulnerabilities to be exploited. By looking at as much information as possible according to these criteria, US-CERT should be able to quickly identify and prioritize incidents for a more effective response, she said.
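As an added illustration of the contrast Kwon draws between count-based and risk-based escalation (example code, not from the article or from US-CERT), the following applies both rules to constructed incident reports. The incident categories, weights, campaign identifiers and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the article): two triage policies applied to constructed
# incident reports, contrasting the "three or more agencies" escalation rule with
# a risk-weighted rule that considers what was gained and which mission it threatens.
from dataclasses import dataclass

# Constructed weights; hypothetical values chosen only to make the contrast visible.
IMPACT = {"adware": 1, "credential-theft": 4, "root-access": 8}
MISSION = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Incident:
    agency: str
    category: str      # kind of compromise observed (key into IMPACT)
    mission: str       # criticality of the affected agency's mission (key into MISSION)
    campaign: str      # identifier linking related events across agencies

def escalate_by_count(incidents, threshold=3):
    """Old rule: escalate a campaign only once it has affected `threshold` agencies."""
    hit = {}
    for inc in incidents:
        hit.setdefault(inc.campaign, set()).add(inc.agency)
    return {c for c, agencies in hit.items() if len(agencies) >= threshold}

def risk_score(inc):
    """Risk of one event: what the attacker gained, weighted by the mission at stake."""
    return IMPACT[inc.category] * MISSION[inc.mission]

def escalate_by_risk(incidents, threshold=8):
    """Risk rule: escalate any campaign whose single worst event reaches `threshold`."""
    worst = {}
    for inc in incidents:
        worst[inc.campaign] = max(worst.get(inc.campaign, 0), risk_score(inc))
    return {c for c, score in worst.items() if score >= threshold}

# Constructed sample: adware on three agencies in one campaign, root access on one
# high-mission agency in another, mirroring the comparison in the article.
SAMPLE = [
    Incident("agency-a", "adware", "low", "adware-wave"),
    Incident("agency-b", "adware", "low", "adware-wave"),
    Incident("agency-c", "adware", "medium", "adware-wave"),
    Incident("agency-d", "root-access", "high", "targeted-intrusion"),
]

if __name__ == "__main__":
    print("count rule escalates:", escalate_by_count(SAMPLE))  # {'adware-wave'}
    print("risk rule escalates: ", escalate_by_risk(SAMPLE))   # {'targeted-intrusion'}
```

The count rule escalates the adware wave and never sees the single root compromise; the risk rule does the reverse, which is the reprioritization the talk argues for.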

Doing this requires a greater degree of cooperation than generally found within and among security organizations, Kwon said. Complete openness might not be possible because some information is classified, she said. But most of it is available for sharing and must be shared to make it valuable.

“We have to stop isolating ourselves as security experts,” and learn to play better with other security groups and nonsecurity organizations. “This is a team sport.”